Tuesday, October 22, 2013

Dual-boot Fedora 18 and Windows 7, with full disk encryption configured on both OSs

This tutorial on how to dual-boot Fedora 18 and Windows 7 with full disk
encryption (FDE) configured on both operating systems stems from a
request from K. Miller. The dual-boot system will be on a single hard
disk drive (HDD), GRUB will be installed in Fedora’s boot partition, and
Truecrypt will be used to encrypt the Windows 7 end of the
installation.
Encrypting Windows when dual-booting it with a Linux distribution is
not something I’ve ever considered doing simply because I don’t care a
whole lot about that operating system. But K. Miller’s request and
suggestion prompted me to take a look at the possibility.
And I didn’t think it was going to be a difficult process until I
started. First, I tried Fedora 18 and Windows 8 Pro, with UEFI enabled.
That didn’t work. Then I tried Ubuntu 12.10 and Windows 8, also with
UEFI enabled. That proved to be even more difficult, mostly because of
the issue I wrote about in “Why is Windows 8 on SSD invisible to Ubuntu 12.10’s installer?” That problem also affects HDDs.
After almost one full day of trying, I decided to honor K. Miller’s
original request, which was for a tutorial on how to “dual boot a Linux
(Fedora 18) encrypted partition alongside a Windows 7,” with “full disk
encryption for both installations.”
We all know the benefits of dual-booting, but why is it necessary to
encrypt both ends of such a system? You’ll find the answer in How Fedora protects your data with full disk encryption. Extending disk encryption to the Windows end of a dual-boot system makes for a more physically secure system.
This is a long tutorial, but keep in mind that the approach I used in
this article is not the only way to go about it. It should provide a
template for how this can be done.
So, if you want to go along with me, here are the tools you’ll need:

An existing installation of Windows 7, or if you are willing to
reinstall, a Windows 7 installation CD. Since I don’t keep a running
Windows system, a fresh installation was used for this tutorial.

Truecrypt. This is the software that will be used to encrypt Windows 7. It is an “open source” software available for download here.
Note that Windows has its own disk encryption system called BitLocker.
So why not use it instead of a third-party tool like Truecrypt?
To use BitLocker, your computer must have a compatible Trusted
Platform Module (TPM). The other reason not to use BitLocker is this: It is
a Microsoft tool. As such, you can bet your left arm that it has a
backdoor. And no, I don’t have any evidence to back that up, but this is
Microsoft we are talking about.
One more thing to note: Though Truecrypt is listed on the project’s
website as an open source software, its license, TrueCrypt License 3.0,
is not listed under GPL-Compatible and GPL-Incompatible Free Software
Licenses available here. It is also not listed as an OSI-approved license. Just two points to keep in mind.

An installation image of Fedora 18, which is available for download here.

If you have all the pieces in place, let’s get started.
1. Install Windows 7 or shrink an existing C drive:
If you are going to install a fresh copy of Windows 7, be sure to leave
sufficient disk space for Fedora 18. If you have an existing
installation of Windows 7, the only thing you need to do here is to free
up disk space for the installation of Fedora 18.
The HDD I used for this installation is 600 GB in size. The next
screen shots show how I used Windows 7’s partition manager to recover
disk space that I used for Fedora 18. How you divvy up your HDD is up to
you. For my test system, I split the HDD in half, one half for Windows
7, the other half for Fedora 18. This screen shot shows the partitions
as seen from Windows 7. Right click on C and select “Shrink Volume.”
And this is the Shrink Volume window. Make your selection and click on Shrink.
Here’s the result of the shrinking operation. That unallocated space
is what will be used to install Fedora 18. Reboot the computer with the
Fedora 18 installation CD or DVD in the optical drive.

2. Install Fedora 18:
I know the latest version of Anaconda that shipped with Fedora 18 has received muchas
bad press, but that is not going to be an issue here. Well, in a sense,
it will be, but the difficulty it presents is just a minor bump on this
road. The difficulty stems from the fact that the installer does not
give you the option to install GRUB, the boot loader, in a custom
location. But that is a minor issue, as there is a simple solution to
it. It involves working from the command-line, but trust me, it’s a
piece of cake.
This screen shot shows the main Anaconda window, the “hub” in the
hub-and-spoke installation model. The only thing you’ll have to do here
is click on Installation Destination.
If you have more than one HDD attached to the computer you are using,
they will all be shown at this step. Select the one you wish to use and
check “Encrypt my data. I’ll set a passphrase later.” Click on the Continue button.
LVM, the Linux Logical Volume Manager,
is the default disk partitioning scheme. No need to change that, but
you’ll have to check “Let me customize the partitioning of the disks
instead.” Continue.
This is a partial screen shot of the manual disk partitioning step.
But don’t worry. There will be no need to do the partitioning yourself.
Anaconda will take care of it. We just need to make sure that it will be
using the free, unpartitioned space on the disk. The “Unknown” is
actually Windows 7. You can see its partitions.
This is another partial screen shot from the same step. This one is,
however, showing the options available for Fedora 18. At the bottom of
the window you can see the free space available for use. If you let
Anaconda partition the space automatically, that is the space it will
use. The Windows 7 half of the disk will be untouched. Since there’s no
need to create the partitions manually, click on “Click here to create
them automatically.”
Here are the Fedora 18 partitions that Anaconda just created. Nothing to do here, so click Finish Partitioning.
Because you elected to encrypt the space used by Fedora 18, Anaconda
will prompt you to specify the passphrase that will be used for
encryption. As I noted in Fedora 18 review, Anaconda will insist on a strong password. Save Passphrase.
Back to the main Anaconda window, click Begin Installation. On the window that opens after this, be sure to specify a password for the root account.
Throughout the Fedora installation process, I’m sure you noticed that
Anaconda did not give you the option to choose where to install GRUB 2,
the version of the GRand Unified Bootloader used by Fedora. Instead it
installs it in the Master Boot Record (MBR), the first sector of the
HDD, overwriting the Windows 7 boot files. So when you reboot the system
after installation has completed successfully, you will be presented
with the GRUB 2 boot menu.
At this point, you might want to boot into Windows 7 just to be sure
that you can still do so. Then boot into your new installation of Fedora
18. Complete the second stage of the installation process, and log in
when you are done.

3. Install GRUB 2 to Fedora’s boot partition:
Once inside Fedora, the next task is to install GRUB in the Partition
Boot Record (PBR) of the boot partition, that is, the first sector of
the boot partition. Launch a shell terminal and su to root. To install GRUB 2 in the boot partition’s PBR, you need to know its partition number or device name. The output of df -h will reveal that information. On my installation, it is /dev/sda3. Next, type grub2-install /dev/sda3. The system will complain and refuse to do as instructed. Not to worry, you can force it.
To compel it to install GRUB 2 where we want, add the “--force” option to the command, so that it reads grub2-install --force /dev/sda3.
Once that’s done, reboot the computer. Note that completing this step
does not remove GRUB from the MBR. It just installs another copy in the
boot partition. At the next step, GRUB will be removed from the MBR.
4. Restore Windows 7’s boot manager to the MBR:
When the computer reboots, you will still see Fedora’s boot menu, but
instead of booting into Fedora 18, boot into Windows 7. The next task is
to restore its boot program
to the MBR and add an entry for Fedora 18 in its boot manager’s menu.
The program I know that makes it easy to do that is EasyBCD. Download
it from here. Note that
EasyBCD is free for personal use. After installing it, start it, if it
does not start automatically. Shown below is its main window. Click on Add New Entry to begin.
Then click on the Linux/BSD tab. Select GRUB 2 from the Type dropdown menu, and edit the Name field to match. Click on Add Entry.
This is a preview of what the entries will be on the boot menu of
Windows 7. The final task is to restore the Windows 7 boot program to
the MBR. To do that, click on BCD Deployment.

Under MBR Configuration Options, make sure that the first option is selected. Then click on Write MBR. Exit EasyBCD and reboot the computer.
If you reboot the computer after that last operation, you will be
presented with Windows 7’s boot menu. Test to make sure that you can
boot into either OS. When you are satisfied, reboot into Windows 7 to
start the last series of steps in this operation.
5. Encrypt Windows 7 with Truecrypt:
If you’ve not downloaded Truecrypt, you may do so now, and install it.
Start it by clicking its icon on the desktop. Throughout this step, very
little extra explanation is necessary because the on-screen
explanations will suffice. So, at this step, the default is good. Next.
Click Create Volume.
Select the last option as shown, then Next.
The first option is it. Next.
For obvious reasons, the last option offers a more (physically) secure system. Next.
Though not indicated in this screen shot, I chose “No”. I think the on-screen explanation is sufficient.
Last option, then Next.

Yes.
“Yes,” then Next.
First option, then Next.
It was, but we rectified this when we restored Windows boot program to the MBR. So, select “No.” Next.
This is fine. What will happen is that after this process is completed, pressing the Esc
key at Truecrypt’s boot menu will drop you to Fedora’s boot menu.
Because Fedora is also encrypted, being able to bypass Truecrypt’s boot
menu to get to it does not compromise the integrity of the system’s
physical security. Next.
The default encryption algorithm is strong enough, but there are
other options, if you feel otherwise. For this test system, I chose the
default. Next.
Pick a strong passphrase. Next.
Follow the on-screen instructions, then Next. Next. Next. OK.

Burn.
Insert a blank CD-R in the optical drive, then click Next. After you’re done creating the Truecrypt Rescue Disk (TRD), you can transfer it to a USB stick, if you like that better.
If the TRD is created successfully, click Next.
For better encryption, choose a “Wipe Mode” from the dropdown menu. Next. Test. OK.
If you’ve followed all the steps as specified, there should be no problem here. Encrypt.
It took two hours for the encryption of my test system to complete.
Note that the time it takes is a function of the size of the disk being
encrypted, and the wipe mode you chose. The good thing here is that you
can keep using the system while Truecrypt is completing the task.
Otherwise, take a walk and come back after the estimated time to
completion. Finish.
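
A way to check which boot code is where after steps 3, 4 and 5, as an added example that is not part of the original tutorial: the function reads a saved 512-byte sector and reports whether it holds GRUB, the Windows 7 MBR or the Truecrypt boot loader. The marker strings, the file names and the make_sector helper are assumptions made for this example, and the sample sectors are constructed.

```shell
#!/bin/sh
# Added example: report which boot code sits in a saved 512-byte boot sector.
# The marker strings are assumptions about the text each loader carries in
# its first sector; confirm them against sectors from your own system.
LC_ALL=C; export LC_ALL

# True when bytes 510-511 hold the 55 AA boot signature.
boot_signature_ok() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Prints one of: truecrypt, grub, windows, unknown, invalid.
classify_sector() {
    boot_signature_ok "$1" || { echo invalid; return 0; }
    # Turn every non-printable byte into a newline so only text survives.
    text=$(dd if="$1" bs=512 count=1 2>/dev/null | tr -c '[:print:]' '\n')
    case "$text" in
        *"TrueCrypt Boot Loader"*)    echo truecrypt ;;
        *GRUB*)                       echo grub ;;
        *"Missing operating system"*) echo windows ;;
        *)                            echo unknown ;;
    esac
}

# Builds a constructed sample sector (zeros + marker text + signature).
# It is test data only, not a working boot loader.
make_sector() {
    dd if=/dev/zero of="$2" bs=512 count=1 2>/dev/null
    printf '%s' "$1" | dd of="$2" bs=1 seek=384 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$2" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Demo on constructed samples. On a real system, save the sectors first (as root):
#   dd if=/dev/sda  of=mbr.bin bs=512 count=1   (MBR)
#   dd if=/dev/sda3 of=pbr.bin bs=512 count=1   (Fedora boot partition)
tmp=$(mktemp -d)
make_sector "GRUB " "$tmp/pbr.bin"
make_sector "Missing operating system" "$tmp/mbr_step4.bin"
make_sector "TrueCrypt Boot Loader" "$tmp/mbr_step5.bin"
for f in pbr mbr_step4 mbr_step5; do
    echo "$f: $(classify_sector "$tmp/$f.bin")"
done
```

On the system built in this tutorial, the MBR and /dev/sda3 should both report grub after step 3, the MBR should report windows after step 4, and the MBR should report truecrypt after step 5 while /dev/sda3 still reports grub.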